Disabling HTTP TRACE / TRACK in all virtual hosts

Is there a standard place to put the rewrite conditions so that all of the virtual hosts are covered and/or so that new virtual hosts are covered automatically?

Background:
We just had a security audit and one of the few things that they found was that our ispconfig server allowed HTTP TRACE and HTTP TRACK methods. We need to disable them. 'mod_rewrite' is already part of the standard ispconfig configuration so we just need to add the following

@daveb - Unfortunately, that only works with certain versions of Apache. Furthermore, that directive is supposed to work in Apache 2.0.55, but it didn't do it for me. At least doing so didn't allow my server to pass the audit software I use and I'm not sure exactly how to test the vulnerability myself.

@rdike - I would think that one could change the function named make_vhost in the file /root/ispconfig/scripts/lib/config.lib.php to something like this:

After making this change, I went into ISPConfig Admin and "Saved" one of my sites (assuming it would re-generate the Vhosts_ispconfig.conf file). However, the Vhosts file didn't update. I thought, "Perhaps I'm missing a conditional in the PHP and it's never getting to the point where it turns on the RewriteEngine." So, I even tried a total hack by sticking it in the php variable (since all my sites have php enabled), but my Vhosts file was not updating.

So, now I've put those lines in an .htaccess file in the web root for each site, hoping that does the trick. I'll report back when the audit completes.

So two questions here to someone who knows something*. 1) How do I update my Vhosts file? 2) How would you go about making this change? (assuming the .htaccess won't work for everyone even if it works out for me because all the sites I host are my own)

*Edit: I should say, two questions to someone who's smarter than me, as we all know "something". Falko? Till? You out there?

So two questions here to someone who knows something*. 1) How do I update my Vhosts file? 2) How would you go about making this change? (assuming the .htaccess won't work for everyone even if it works out for me because all the sites I host are my own)


Can you go to the directory where your Vhosts_ispconfig.conf is located and run

Falko,
I'm not sure either as to why the two Vhost files are identical size. I will look into this and report back (perhaps in a new topic).

However, in an attempt to close out this thread, I was able to disable TRACE using the "TraceEnable off" directive. The problem was that I was only turning it off on port 80 and not 81. Here is a site that made me realize I needed to do it for both ports, with some info on how to do it:
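
Added example, not part of any post in this thread: a small Python check for whether TRACE and TRACK are refused on each listener, covering both the "how do I test this myself" question and the port 80 / port 81 gap described above. The marker header, function names and sample responses are constructed for illustration, and the probe assumes plain HTTP listeners on your own server.

```python
import socket

MARKER = "trace-probe-constructed"  # constructed value; lets us spot our request echoed back

def build_probe(method: str, host: str) -> bytes:
    return (f"{method} / HTTP/1.1\r\nHost: {host}\r\n"
            f"X-Trace-Probe: {MARKER}\r\nConnection: close\r\n\r\n").encode()

def classify(raw: bytes) -> str:
    """Classify a raw response to a TRACE/TRACK probe: enabled, disabled or unknown."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return "unknown"
    status = int(parts[1])
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(b":") for line in lines[1:])}
    echoed = MARKER.encode() in body
    if status == 200 and (echoed or headers.get(b"content-type", b"").startswith(b"message/http")):
        return "enabled"   # the server reflected the request back to the client
    if status in (403, 405, 501):
        return "disabled"  # refused: forbidden, not allowed or not implemented
    return "unknown"       # e.g. a 200 page that ignores the method, or a TLS listener

def probe(host: str, port: int, method: str = "TRACE", timeout: float = 5.0) -> str:
    # Plain HTTP only (assumption); a TLS listener needs the socket wrapped with ssl.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(method, host))
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return classify(b"".join(chunks))

def audit(host: str, ports=(80, 81)) -> dict:
    """Probe both methods on every listener; in the thread the fix was missed on port 81."""
    return {(p, m): probe(host, p, m) for p in ports for m in ("TRACE", "TRACK")}

# Constructed sample responses, so the classifier can be exercised offline.
SAMPLE_ENABLED = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                  b"TRACE / HTTP/1.1\r\nHost: example.test\r\n"
                  b"X-Trace-Probe: trace-probe-constructed\r\n\r\n")
SAMPLE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST,OPTIONS\r\n\r\n"

if __name__ == "__main__":
    print(classify(SAMPLE_ENABLED), classify(SAMPLE_DISABLED))
```

Calling `audit("localhost")` on the server itself returns one verdict per port and method; anything other than "disabled" on a listener means that listener still needs the directive.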